The European Regulation (EU) 2016/679 (“GDPR”) establishes rules on the protection of individuals for what concerns the processing of personal data (“Data”), and rules on the free circulation of those data. In compliance with Articles 13 and 14 GDPR and the principle of transparency referred to in Article 5 of the GDPR, we inform you that CLIVET S.P.A., during pre-contractual negotiations, in the drafting of a contract with its BtoB or BtoC customers or with its suppliers, or in the execution of checks, verifications or audits to which it is subjected or, in the course of bid comparisons (hereinafter, for brevity, the "Business Relationship") processes Data concerning: 

• for BtoB customers and for suppliers: a) the owner (if applicable: e.g. sole proprietorship, professional firm); b) the legal representative and/or employees/collaborators of BtoB customers or potential customers or suppliers or potential suppliers (hereinafter referred to as “Business Partner” for brevity);
• for BtoC customers: a) the customer or potential customer who is a natural person (“Customer”);

(hereinafter, all the aforementioned persons, “Data Subjects”). 

CLIVET S.P.A. therefore provides the Data Subjects with the following information regarding the processing of Data. This information does not exclude the possibility that more information regarding Data processing may also be provided to the Data Subjects in other ways and within different timeframes.

DATA CONTROLLER. HOW TO CONTACT THE CONTROLLER 

The Data Controller is CLIVET S.P.A., with registered office at Via Camp Lonc no. 25, Z.I. Villapaiera, Feltre (BL) - VAT no. (hereinafter “Company or Controller”) 

For all questions relating to the processing of data and the exercise of rights arising from the GDPR and for any doubts or clarifications concerning this Policy, the data subject may contact the Controller by sending a registered letter with acknowledgement of receipt to the address below, or a message to the following email address: privacy@clivet.it.

CONTACT DETAILS OF THE DATA PROTECTION OFFICER (DPO)

The DPO appointed by the Controller can be contacted by sending an email to: dpo@clivet.it

DATA CATEGORIES PROCESSED

1. BtoB or PROSPECT BtoB CUSTOMERS, SUPPLIERS / POTENTIAL SUPPLIERS
(companies and professionals)

If applicable (e.g. business relationship with sole proprietor/professional), common personal data of the holder, consisting of identification data (first name, surname); contact data (telephone number, email address); role. 

In the case of business relationships with companies, common personal data of the legal representative.

In both cases, the Controller may also process Data of the Business Partner's employees/collaborators, consisting of: identification data (name and surname); contact data (telephone number, email address); data relating to the task performed.

1.1 PURPOSES AND LEGAL BASIS OF PROCESSING

The Data are processed in order to establish and start the Business Relationship between the Company and the Business Partner, where the data subject holds the role of data controller or performs his/her work/collaboration.
 
The processing of Data is necessary:

a)    for the performance of a contract to which the data subject is party or the performance of pre contractual measures taken at his or her request (Art. 6, para. 1(b) of the GDPR); 

b)    to comply with an obligation that the Controller is subject to (Art. 6, para. 1(c) of the GDPR (e.g. tax compliance).

The processing of Data of employees/collaborators of the Business Partner, instead, is necessary:

c)    for the pursuit of the legitimate interest of the Controller, consisting in the establishment and full and proper performance of the business relationship, pursuant to Art. 6, para. 1(f) of the GDPR).

1.2 RETENTION PERIOD 

10 years from the termination of the Business Relationship.

2. BtoC or PROSPECT BtoC CUSTOMERS 
(customers who are natural persons)

Common personal data of the Customer, consisting of, but not limited to: identification data (name and surname); contact data (telephone number, email address), other data necessary for billing, payments, processing of the order.

2.1 PURPOSES AND LEGAL BASIS OF PROCESSING

The Data are processed to establish and start the business relationship with the Customer (e.g. preparation of the quote, conclusion of the contract, processing of the order, management of tax obligations). 

The processing of Data is necessary:
a)    for the performance of a contract to which the data subject is party or the performance of pre contractual measures taken at his or her request (Art. 6, para. 1(b) of the GDPR);
b)    to comply with an obligation that the Controller is subject to (Art. 6, para. 1(c) of the GDPR (e.g. tax compliance).

2.2 RETENTION PERION

10 years from the termination of the Business Relationship.

3. COMMON PERSONAL DATA OF THE PERSONS REFERRED TO IN POINTS 1 AND 2.

To exercise or defend a right of the Controller in relation to the Business Relationship.

The processing of Data is necessary for the Data Controller to pursue his legitimate interest pursuant to Art. 6, para. 1(f) of the GDPR).

3.1 RETENTION PERIOD

For the duration of a litigation, if applicable, until the deadlines for appeal have ended.

4. COMMON PERSONAL DATA OF THE PERSONS REFERRED TO IN POINTS 1 AND 2.

Where applicable, the Data may also be processed for the performance of controls, checks or audits to which the Controller is subject or in the course of bid comparisons.

The processing of Data is necessary for the Data Controller to pursue his legitimate interest pursuant to Art. 6, para. 1(f) of the GDPR).

4.1 RETENTION PERIOD

For the time strictly necessary to achieve the purposes (Art. 5 of the GDPR.)

5. COMMON PERSONAL DATA OF THE PERSONS REFERRED TO IN POINTS 1 AND 2.

To permit direct marketing by the Data Controller: to send to the data subject - by post, e-mail, text message, telephone calls with or without an operator or other means used by the Data Controller - information material, promotional, commercial and advertising communications (e.g. newsletters) or communications relating to the Data Controller's events and initiatives, and to carry out market research and satisfaction surveys concerning the Data Controller's products/services. 

Processing is carried out only with the express consent of the data subject (Art. 6.1(a) of the GDPR), except in cases of so-called “soft spam” as described below. Consent is obtained in the manner identified by the Controller (e.g. paper or online forms). 

Data Subjects are informed that, in Italy, the Privacy Code (Art. 130(4) of Legislative Decree 196/2003 as amended) allows soft spam. This means that it is not necessary to obtain the explicit consent of the data subject to use the email address provided with a previous purchase for the purpose of direct sales of products or services similar to those that the data subject has already purchased from the Controller, on condition that the data subject does not object to such use. It should be noted that the data subject may object to this processing at any time by contacting the Controller or by clicking on the relevant link to object to the receipt of emails with commercial content sent by the Controller that are considered to be unsolicited. 

5.1 RETENTION PERIOD

5 years from obtaining consent, unless renewed.

PROCESSING METHODS

The data processing is carried out using both paper and electronic methods, in compliance with the current provisions regarding data protection and, specifically, the technical and organisational methods pursuant to Art. 32.1 of the GDPR, taking precautionary measures to guarantee their integrity, confidentiality and availability. The processing referred to in this Circular Letter is not subject to automated decision-making processes.

CATEGORIES OF DATA RECIPIENTS

The Data are not disclosed. The Data are processed by persons specifically authorised by the Data Controller, who have received specific operating instructions pursuant to Art. 29 of the GDPR. 
Please also note that the Data may be made known to:

• MIDEA GROUP and the other companies of the MIDEA Group, to which CLIVET belongs, in compliance with the guarantees of the GDPR and specific agreements with the Controller;
• parties external to the Company who process the Data on behalf of the latter in their capacity as data processors (e.g. suppliers of IT services) or who are entitled to know the Data in their capacity as autonomous data controllers (e.g. public institutions, credit institutions, lawyers). 

Please note that the updated list of Data Processors appointed pursuant to Art. 28 GDPR is kept by the Data Controller and can be made available to the Data Subject on request.

SOURCE OF THE DATA. NATURE OF DATA PROVISION  

The Data are collected from the Data Subject or, if applicable, acquired from third parties. The provision of Data is needed to carry out the purposes set out i this Policy. Refusal to provide Data will therefore make it impossible for the Controller to establish or fully and correctly start the Business Relationship.

TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

The Data may be transferred to countries not belonging to the European Union/EEA Area. In particular, the data may be transferred to the other companies of the MIDEA Group, to which the Data Controller belongs, and to the MIDEA GROUP Parent Company based in China. The Controller guarantees that any transfer of Data shall take place in full compliance with the conditions in Chapter V of the GDPR (Art. 44 et seq.), in order to ensure that the level of protection afforded to natural persons by the GDPR is in no way affected. Any transfer will therefore only be made to those countries that the European Commission has judged can guarantee an adequate level of protection, in accordance with the provisions of Art. 44 of the GDPR or in compliance with particular set contractual clauses approved by the European Commission pursuant to Art. 46 of the GDPR, and only on condition that the recipient of the data provides adequate guarantees and that the data subjects have enforceable rights and effective remedies. In the latter case, the Data Subject is informed that he/she has the right to request a copy of the standard contractual clauses signed by the Data Controller. Any exceptions to the above will only occur in full compliance with Art. 49 of the GDPR. 

RIGHTS OF THE DATA SUBJECT. COMPLAINTS TO THE SUPERVISORY AUTHORITY

By sending a registered letter with acknowledgement of receipt to the Company's registered office or an email to privacy@clivet.it, the Data Subject may contact the Data Controller at any time to request:
a)    access to Data concerning him/her;
b)    rectification of the Data;
c)    erasure of the Data, within limits established by the GDPR;
d)    limits to the processing of Data pursuant to the conditions set out in Art. 18 of the GDPR;
e)    the portability of these Data in a structured format, in the cases set out in Art. 20 of the GDPR;
f)    opposition to the processing of these Data, pursuant to Art. 21 of the GDPR.
For processing based on consent (data marketing), the data subject also has the right to withdraw his or her consent to the processing of personal data at any time. In any case, the withdrawal of consent does not jeopardize the lawfulness of the processing based on the consent before the withdrawal.

If the Data Subject considers that the processing of his/her data violates the GDPR, he/she also has the right to lodge a complaint with the Supervisory Authority. In Italy, this Authority is represented by the Personal Data Protection Officer based in Rome. The data subject residing abroad may lodge complaints with the designated Supervisory Authorities in the country of residence.